At a recent Cybersecurity Summit we attended, we took note of several statistics we’d like to share with you, our manufacturing insurance clients. Did you know:
- 60% of cyber attacks occur at small businesses;
- 50% of small businesses report being the target of a cyber attack;
- 21% of manufacturers have suffered a loss of intellectual property;
- 88% of procurement departments would consider discontinuing doing business with a supplier because of a breach; and
- 29% of small businesses are unfamiliar with the measures to take to improve cybersecurity?
Even more alarming than the above findings is that the manufacturing sector is now one of the most frequently hacked industries, second only to healthcare, according to the IBM X-Force 2016 Cyber Security Intelligence Index. Manufacturing rose from third place in last year’s report to take the second spot in 2016.
Additionally, the 2016 Manufacturing Report by professional services firm Sikich noted a rise in attacks on the manufacturing sector – with theft of intellectual property as a primary motive. “The FBI estimated that $400 billion of intellectual property is leaving the U.S. each year because of cyber attacks,” and nation-state actors and other adversaries are starting to target manufacturing companies for this information, according to Brad Lutgen, a partner in Sikich’s compliance and security practice.
The Causes of Cyber Attacks
There are several reasons why manufacturers are increasingly the targets of cyber attacks, including the fact that many shops are behind the curve in security. Manufacturers, for the most part, have not been held to compliance standards the way the financial services sector has with the Payment Card Industry Data Security Standards, or the healthcare industry has with the Health Insurance Portability and Accountability Act (HIPAA). As a result, there hasn’t been the same level of security awareness in manufacturing as in other industry verticals, leaving manufacturers exposed to cyber criminals who are continually looking to hit vulnerable businesses. It is important to note, however, that manufacturers doing business with the Department of Defense (DOD) do need to follow the minimum safeguards outlined in NIST Special Publication 800-171, which will require full compliance by year-end. We will devote a separate article next month to cyber security for manufacturers doing business with the DOD.
Another reason for the uptick in attacks is the proliferation of interconnected systems and data running factories, production, and the supply chain. The industrial Internet of Things (IOT) has allowed indiscriminate internetworking among manufacturers. To reap the benefits of IOT, networks are connected seamlessly, but these networks, unfortunately, operate at very different levels of trust. According to IT security experts, manufacturers are deploying firewalls and encryption, thinking that if these are enough to keep them safe on IT (information technology) networks, they must be sufficient for OT (operational technology) networks, too. The problem, experts say, is that every message might be an attack, whether it arrives as plain text or encrypted, and the consequences of attacks on manufacturing networks can be costly. For example, if an attacker tampers with an automobile robot, incorrect components may be produced that can trigger massive recalls when the flaws are discovered down the road. Unlike IT computers, damaged products can’t be restored from backup.
Minimizing Your Manufacturing Shop’s Exposure to Cyber Attacks
Following are several general and specific measures to take to mitigate the risk of a cyber attack:
- Conduct an annual IT risk assessment to properly understand the origin of potential threats. Pull a cyber attack specialist into the risk assessment. Demonstrate the physical and cyber designs of the manufacturing systems, explain the worst physical consequences possible with these systems, and ask how the specialist would attack your system to bring about those consequences.
- Conduct ongoing vulnerability scanning throughout the year to help your firm stay up-to-date with new threats.
- Use a wireless network with the latest generation of encryption for your IT system. However, a manufacturer’s shop’s most sensitive information should not be accessible from a wireless connection.
- Ensure all personal computers and servers on the network have the latest security updates. A manufacturer’s network for machine monitoring typically includes connections to a number of PCs – from desktops used in engineering, programming and management offices to PCs that are part of the control systems on CNC machine tools. Any PC that hasn’t had security updates to its software is much more vulnerable to phishing emails and viruses when a user opens unknown email attachments or runs suspicious downloaded applications. Phishing schemes are designed to steal or modify sensitive company data in order to find bank account details or steal credit card numbers. A popular phishing scheme in the last few years involves scamming a company into sending a wire transfer by uploading malware onto a business computer and gaining access to email accounts that send unsecured wire transfers. Once the criminal gains access to the account, they can alter and manage the wire transfers and fraudulently exploit them for personal gain.
- Purchase a hardware firewall for IT networks and make sure it’s updated. A firewall is designed to block unauthorized access while permitting outward communication. But for an IT network communicating with a manufacturing network, or for traffic between the manufacturing network and a safety network, something stronger than a firewall is needed. Manufacturers are increasingly using unidirectional security gateway technology. The gateways physically permit information to flow in one direction, and physically block anything at all traveling in the other direction. Unidirectional gateways permit continuous monitoring of manufacturing networks from IT, or from the open Internet, without allowing any attack to flow back into manufacturing, safety and other cyber-physical networks.
- Enforce strong and complex passwords. Ensure that any cloud service enforces the use of strong passwords over HTTPS, the encrypted version of HTTP, the web’s basic transfer protocol. Change the passwords periodically and be sure that different passwords are used for every site or account.
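The one-way property described in the unidirectional gateway item above can be checked against directional flow records: any bytes arriving in the manufacturing (OT) network from outside it mean a path exists around the gateway, such as a dual-homed PC. The following is an added example, not part of the original article; the zone address ranges, the record format and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed zone layout (hypothetical address ranges, not from the article).
ZONES = {
    "OT": ipaddress.ip_network("10.20.0.0/16"),  # manufacturing and safety networks
    "IT": ipaddress.ip_network("10.10.0.0/16"),  # office network
}

# Constructed directional flow records: (sender, receiver, bytes sent).
SAMPLE_FLOWS = [
    ("10.20.5.11", "10.10.1.50", 18234),   # OT -> IT monitoring data: permitted
    ("10.10.3.7", "10.20.5.11", 912),      # IT -> OT: must never occur
    ("203.0.113.9", "10.20.8.2", 64),      # outside -> OT: must never occur
    ("10.20.8.2", "10.20.5.11", 4096),     # OT internal traffic: not cross-zone
    ("10.20.8.2", "198.51.100.4", 2048),   # OT -> outside, outbound only: permitted
    ("not-an-ip", "10.20.8.2", 10),        # malformed record: reported, not dropped
]

def zone_of(addr):
    """Map an address to a zone; unlisted addresses are treated as EXTERNAL."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "INVALID"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"

def audit(flows):
    """Return every record that shows bytes entering OT from another zone."""
    findings = []
    for sender, receiver, nbytes in flows:
        src, dst = zone_of(sender), zone_of(receiver)
        if "INVALID" in (src, dst):
            findings.append((sender, receiver, nbytes, "unparseable address"))
        elif dst == "OT" and src != "OT":
            findings.append((sender, receiver, nbytes, f"{src} -> OT inbound"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

An empty result over a representative capture period is the expected state; a single inbound record is enough to justify tracing which device bridges the two networks.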
This is the time you might be saying to yourself, “This sounds way too complicated and besides, it will never happen to me!” If you are one of those people, please take a moment and go back to the beginning and reread the foreboding statistics.
Manufacturers, like any other industry sector, need to step up their security measures in today’s new normal of increased cyber attacks and sophisticated methods being utilized by criminals. This is particularly true as more manufacturing shops adopt advanced technologies to develop and deliver products and parts. Precision Manufacturing Insurance Services (PMIS) specializes in insuring the manufacturing industry and can assist you with risk management strategies to help mitigate cyber attacks as well as provide you with Cyber Liability insurance to respond in the event of a loss. Cyber Liability insurance addresses many of the exposures a business faces, and can be designed to pay for things like the cost of forensics to determine how a breach occurred, data or system restoration, business interruption as a result of a breach, crisis management to repair any damage done to your company’s reputation as a result of a cyber attack, and litigation expenses, among others. For more information about PMIS’ manufacturing insurance solutions, please contact us at 855.910.5788.